Exposing the gateway with a tunnel
To reach your local merido from another machine (or share it temporarily) without opening a port or deploying, you can expose it through a Cloudflare quick tunnel or a Tailscale Funnel. Both are managed from the dashboard's Tunnel page (or the API below).
Authenticate before you expose
A tunnel puts your gateway on the public internet. merido refuses to start a tunnel unless the gateway is authenticated — you must set a dashboard password (MERIDO_DASHBOARD_PASSWORD_HASH) and/or require API keys (MERIDO_REQUIRE_API_KEY=true) first. See Deploy to production for the full hardening checklist.
The auth precondition
Both enable endpoints run an auth guard. If neither a dashboard password nor API-key enforcement is configured, enabling is refused with HTTP 412 Precondition Failed and an error code of auth_not_configured:
{
  "error": "refusing to expose an unauthenticated gateway over a public tunnel",
  "hint": "set MERIDO_DASHBOARD_PASSWORD_HASH and/or MERIDO_REQUIRE_API_KEY=true …",
  "code": "auth_not_configured"
}

If you understand the risk, you can override by sending {"force": true} in the enable request body, but the safe path is to configure auth first.
Cloudflare quick tunnel
GET /api/tunnel/status
POST /api/tunnel/enable
POST /api/tunnel/disable

Enabling auto-downloads the cloudflared binary into the data dir if it isn't already on PATH, starts a quick tunnel to the local port, and returns a public https://<random>.trycloudflare.com URL once it's up (a ~30 s startup window). Enabling while already running is idempotent. POST /api/tunnel/disable terminates the cloudflared process and tears the tunnel down (also idempotent).
Tailscale Funnel
GET /api/tunnel/tailscale/status
POST /api/tunnel/tailscale/enable
POST /api/tunnel/tailscale/disable

Tailscale Funnel exposes the gateway at a stable https://<hostname>.ts.net URL on your tailnet. Unlike Cloudflare, it requires the tailscale CLI to already be installed and logged in (no auto-download). Enabling runs tailscale funnel; disabling resets it. The same 412 auth precondition applies.
If Funnel hasn't been enabled for your tailnet yet, enable returns HTTP 409 Conflict whose body contains the admin URL you must visit to turn the Funnel feature on for the org — open it, enable Funnel, then retry.
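A client for the two enable endpoints that never sends {"force": true} and treats 412 and 409 as stop conditions, as an added example that is not merido's own code. Assumptions: the base URL and any request headers are supplied by the caller, the public or admin URL appears as an https:// string somewhere in the response body (the page gives no schema for the success or 409 body), and the reason labels other than the server's own code are this example's.

```python
import json
import re
import urllib.error
import urllib.request

ENABLE_PATHS = {"cloudflare": "/api/tunnel/enable",
                "tailscale": "/api/tunnel/tailscale/enable"}
URL_RE = re.compile(r"https://[^\s\"'<>\\]+")  # assumption: URL appears verbatim in the body


class TunnelRefused(Exception):
    """Raised for any non-success answer; reason is the server code or this example's label."""
    def __init__(self, status, reason, detail=""):
        super().__init__(f"HTTP {status} {reason}: {detail}")
        self.status, self.reason, self.detail = status, reason, detail


def http_post(base_url, headers=None):
    """Return post(path, body) -> (status, text); base_url and headers are caller-supplied."""
    def post(path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", **(headers or {})})
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:  # covers the ~30 s startup
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # 4xx/5xx responses carry the body we need
            return err.code, err.read().decode()
    return post


def enable_tunnel(post, provider):
    """Enable a tunnel with an empty body (no force override); return the public URL."""
    status, text = post(ENABLE_PATHS[provider], {})
    if status == 412:  # auth guard tripped: fix configuration instead of overriding
        try:
            err = json.loads(text)
        except ValueError:
            err = {}
        err = err if isinstance(err, dict) else {}
        raise TunnelRefused(412, err.get("code", "precondition_failed"), err.get("hint", ""))
    if status == 409:  # Funnel not yet enabled for the tailnet: surface the admin URL
        match = URL_RE.search(text)
        raise TunnelRefused(409, "funnel_not_enabled", match.group(0) if match else text)
    if not 200 <= status < 300:
        raise TunnelRefused(status, "unexpected_status", text[:200])
    match = URL_RE.search(text)
    return match.group(0) if match else None
```

Call it as enable_tunnel(http_post(base_url), "cloudflare"); a TunnelRefused with reason auth_not_configured means the gateway still needs a dashboard password or API-key enforcement.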
Teardown
Call the matching disable endpoint (or the dashboard toggle) to stop a tunnel. Disable is idempotent, so it's safe to call even if the tunnel is already down. Stopping merido also ends the tunnel.
Related
- Deploy to production — hardening you must do before exposing the gateway.
- TLS interception (MITM) — a different networking feature, for capturing local coding-CLI traffic.